Identity protection is a full-time job'for each user and sysadmin

By William Jackson

Mar 24, 2004

Protecting personal identity from theft requires more than people being careful about how they use credit cards online, says Dennis H. McCallam of Northrop Grumman Corp.

'This is what everybody is looking out for, protecting yourself online,' McCallam said today at the FOSE conference in Washington. But personal data is so widely distributed that protection from identity theft involves all aspects of system security and management.

'Identity protection and identity management are one and the same,' said McCallam, an information assurance technical fellow at Northrop Grumman.

People should take basic steps such as using a personal firewall and scanning for spyware on PCs, but systems administrators and security officers also need to secure enterprises where sensitive data resides. Strong access control, event monitoring and auditing are necessary, he said.

'Run a scan,' McCallam said. 'You have to find out what you have.' He acknowledged that configuration management is a pain but called it necessary to ensure that systems are adequately protected.

Strong passwords are necessary, and random characters or numerals should be included in the first seven characters, not tacked on at the end, because Microsoft Windows stores and acts on only the first seven characters. That is why 'Windows passwords are so much easier to break' than those used to access Unix systems, McCallam said.

He also advised using Microsoft Active Directory.

'Really embrace Active Directory,' he said. 'It's kind of hard to deal with, but it's not a bad way to manage identity across a system.'